This can be quite time-consuming if it is the first time you set up an SSL endpoint. Here is how I did it:
- Purchase a RapidSSL certificate for my domain on www.trustico.com. Make sure to use the insurance option so that you can download the private key later. I had to set up an email account at firstname.lastname@example.org so that I could receive their confirmation link email.
- Once you have bought your certificate, log in to your Trustico account and download your certificate, the intermediate certificate, and the private key.
- Concatenate the final and intermediate certificates into a single file (let’s call it server.crt).
- Add the SSL endpoint add-on to your Heroku application
heroku addons:add ssl:endpoint
- Upload your certificate
heroku certs:add server.crt private.key
- Run the following and verify that you have an SSL endpoint with an explicit trusted ‘True’ value
- Note the full domain of the SSL endpoint from the previous command's output, and add a DNS CNAME record from your domain to this endpoint
- Check that there are no DNS A records pointing to Heroku IPs in your DNS configuration (this used to be the case with older versions of Heroku)
- Wait until the DNS servers are updated, then check that it is working.
Any certificate will eventually expire and need to be renewed. The process for this (at Trustico at least) is to generate a completely new certificate. To install this new certificate on Heroku, start by combining the new certificate files as you did the first time, and then use
heroku certs:update server.crt private.key
instead of heroku certs:add. This should be enough; there is no need to update any DNS entry.
To make sure the new certificate is used, visit the Heroku SSL endpoint directly (get it by running heroku certs) and then visit your SSL site to check the certificate information from your browser.
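A pre-upload check for the server.crt bundle used by both heroku certs:add and heroku certs:update above, as an added example that is not part of the original post: it confirms that the private key matches the certificate and that the intermediate's name matches the certificate's issuer, then writes the bundle with the final certificate first. The function names, the input file names and the 30-day expiry threshold are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example; function names and the 30-day threshold are assumptions.

# SHA-256 over the PEM public key of a certificate / of a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256; }

# Issuer and subject names printed in one fixed format so they compare as text.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# build_bundle LEAF INTERMEDIATE KEY OUT
# Writes OUT (leaf first, then intermediate) only when every check passes.
build_bundle() {
    leaf=$1 inter=$2 key=$3 out=$4

    # Both inputs must parse as certificates before anything is compared.
    openssl x509 -in "$leaf" -noout 2>/dev/null &&
    openssl x509 -in "$inter" -noout 2>/dev/null ||
        { echo "unreadable certificate file" >&2; return 1; }

    # The private key must belong to the leaf; after a renewal this catches
    # pairing the new certificate with the old key (or the reverse).
    [ "$(cert_pubkey_hash "$leaf")" = "$(key_pubkey_hash "$key")" ] ||
        { echo "private key does not match $leaf" >&2; return 2; }

    # The leaf's issuer name must equal the intermediate's subject name
    # (a name comparison, not a signature verification).
    [ "$(cert_issuer "$leaf")" = "$(cert_subject "$inter")" ] ||
        { echo "$inter is not named as issuer of $leaf" >&2; return 3; }

    # Refuse a leaf that expires within 30 days (2592000 seconds).
    openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null ||
        { echo "$leaf expires within 30 days" >&2; return 4; }

    # Leaf first, re-emitted by openssl so it ends with a newline.
    { openssl x509 -in "$leaf"; cat "$inter"; } > "$out"
}

# Run as: sh check_bundle.sh cert.crt intermediate.crt private.key server.crt
if [ "$#" -eq 4 ]; then build_bundle "$@"; fi
```

A non-zero exit status means server.crt was not written, so the heroku certs:add or heroku certs:update step should not be run with it.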